BUG/MAJOR: mux_quic: fix invalid PROTOCOL_VIOLATION on POST data overlap

Stream data reception is incorrect when dealing with a partially new
offset with some data already consumed out of the RX buffer. In this
case, data length is adjusted but not the data buffer. In most cases,
ncb_add() operation will be rejected as already stored data does not
correspond with the new inserted offset. This will result in an invalid
CONNECTION_CLOSE with PROTOCOL_VIOLATION.

To fix this, buffer pointer is advanced while the length is reduced.

This can be reproduced with a POST request and patching haproxy to call
qcc_recv() multiple times by copying a quic_stream frame with different
offsets.

Must be backported to 2.6.

diff --git a/src/mux_quic.c b/src/mux_quic.c
index ff0b8eab8619f6aa315ff49b7ae51bdc1b289999..055c82d31643f7002fcad3f23e90b7464614c4e0 100644 (file)
--- a/src/mux_quic.c
+++ b/src/mux_quic.c
@@ -789,7 +789,10 @@ int qcc_recv(struct qcc *qcc, uint64_t id, uint64_t len, uint64_t offset,
 
        TRACE_DEVEL("newly received offset", QMUX_EV_QCC_RECV|QMUX_EV_QCS_RECV, qcc->conn, qcs);
        if (offset < qcs->rx.offset) {
-               len -= qcs->rx.offset - offset;
+               size_t diff = qcs->rx.offset - offset;
+
+               len -= diff;
+               data += diff;
                offset = qcs->rx.offset;
        }